Computer With UK Bank Customer Data Sold On eBay
Walpurgiss tips a BBC News story about a man in Oxford who paid $140 for a computer on eBay and was shocked to find on it bank records of several million customers of the Royal Bank of Scotland, its subsidiary NatWest, and one other bank. "Mr. Chapman said anyone with a basic knowledge of computer software would have been able to find the data fairly simply. 'The information was in back-up CDs and in ISO files so it would have been possibly quite easy to find...,' he said."
Kudos to him for speaking up rather than trying to abuse the situation.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
...Really Bad Security instead of Royal Bank of Scotland.
I bought a pair of SGI Origin 200 machines that contained names, credit cards, and enough data to be a real problem for many thousands of people. The labels on the machines listed them as from @home which had closed their doors. I did the dd if=/dev/zero dance and reinstalled IRIX.
Somebody should have set a much higher reserve price.
If you're dumb enough to make a backup CD and then save the ISO onto the hard drive just in case the hard drive crashes, you're dumb enough to sell it on eBay without wiping it. I suppose this could have been some sort of backup storage server and not the computer that actually contained the data to be backed up, but for that price it's a little unlikely.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
The thief who stole it?
So in the article, they say that they expect him to hand "it" back... does that mean that the poor guy who paid £77 has to give the computer back for free?
Personally I'd charge them a hefty sum to get that computer back, just to make them remember that he paid for it and was nice enough to tell them.
Once again I am reminded of the boundlessness of human stupidity.
Two or more departments in the chain that don't talk to each other.
IT, who removes it from the desk or floor. They are 'supposed' to wipe it. They don't, for whatever reason.
The disposal dept gets a stack of random PCs to dispose of. "IT", according to policy, was supposed to have sanitized them, so Disposal never powers them up to check (doesn't have the time or resources).
Result: a PC with the sensitive CD still in the drive gets sold.
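The chain above fails because nobody powers the box up to check. As an added example (not posted by anyone in this thread), the POSIX shell script below is the check that disposal step could run after the "dd if=/dev/zero" pass mentioned earlier: it reports whether a drive or disk image reads back entirely as zeros and, if not, the offset of the first leftover byte. The /tmp image paths and the "CD001" sample content are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a drive or disk image
# actually reads back as all zeros after the "dd if=/dev/zero" pass, so the
# disposal step can check a machine rather than trust that IT wiped it.
# Assumes POSIX sh with od, awk and dd; device paths are placeholders.

# Print the byte offset of the first non-zero byte in the given path.
# Prints nothing and returns 0 if every byte is zero; returns 1 otherwise.
first_nonzero_offset() {
    # od -v prints every byte (no '*' squeezing of repeated lines), -An drops
    # addresses and -tx1 gives one hex byte per field; awk counts bytes.
    od -An -v -tx1 "$1" | awk '
        BEGIN { off = 0 }
        { for (i = 1; i <= NF; i++) { if ($i != "00") { print off; exit 1 } off++ } }'
}

# One-word verdict for a path: "clean", "dirty:<offset>" or "unreadable".
# Returns 0 only when clean, so it can gate a disposal run.
sanitize_verdict() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    if off=$(first_nonzero_offset "$1"); then
        echo clean
        return 0
    fi
    echo "dirty:$off"
    return 1
}

# Constructed sample inputs: a 1 MiB image that was zeroed end to end, and a
# copy where a fragment of a backup ISO survived at byte offset 4096
# (ISO 9660 volume descriptors carry the "CD001" identifier).
make_samples() {
    dd if=/dev/zero of=/tmp/wiped.img bs=1024 count=1024 2>/dev/null
    cp /tmp/wiped.img /tmp/leftover.img
    printf 'CD001 customer backup' |
        dd of=/tmp/leftover.img bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Usage: sanitize_verdict /dev/sdX   (run as root against the raw device)
if [ $# -gt 0 ]; then
    sanitize_verdict "$1"
else
    make_samples
    for img in /tmp/wiped.img /tmp/leftover.img; do
        echo "$img: $(sanitize_verdict "$img")"
    done
fi
```

Reading a whole disk through od is slow, but that is the point: a sampled check can miss exactly the one ISO left in the middle of an otherwise empty drive.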
How many days do you think it will be before the government tries to charge him with something or the bank in question tries to sue him? I'd be pleasantly surprised if neither happened.
Also, the summary leaves out something that might affect those of us on the other side of the pond:
Bold mine. I know they have different branches for countries and such, but I wonder if any of this data crossed international bounds.
I bought a Sun box at Goodwill once and, besides an intact customer database for several large companies, it also had the admin's personal backup files, including his "My Documents" folder, his Palm cell phone, and 1200 dpi scans of his passport. Oh, and some file called "passwords.doc". No idea what is in there...
More details here:
http://lfnet.net/blog/?p=41
But yeah... wipe it before you get rid of it.
I was just going to pick up a cheap 1U server for a mod project! Now I've no chance! Everyone will be buying up every server hoping for disks full of banking details now!! :(:(
Laters, Sol. "Have you found the secrets of the universe?" asked Zebade. "I'm sure I left them here somewhere."
Oh, crap... I was outbid by £10. If only I'd known the contents...
Why? He is going to lose the system and runs the risk of being locked up as a thief. I would say you dodged a bullet (unless you are joking).
http://michaelsmith.id.au
You might not have seen the video clip with the article [I don't know if it's visible outside the UK], but the guy said he bought two servers; one booted and had been wiped, the other didn't boot. It didn't boot because it was missing its RAM (or the chip was unseated), so anyway, he sorted that out, booted it up and found the data.
Soooo... one wonders if the machine didn't get wiped simply because the various techs could boot it and decided it was too much effort to move the drives to another machine?
It's tough to sell a machine with no OS on it. Most buyers will take one look at the retail price of XP (for example) and subtract that from their eBay bid. Most sellers are unwilling to risk a complete disk scrub and reinstall. Even if they are, it's doubtful that they still have (or ever had) media to do an install on a clean system. The most that the non-tech-savvy will attempt is to drag the contents of 'My Documents' to the trash can icon.
This is an opportunity for a Linux distro. Include an easy-to-use boot/nuke/install mode and offer them to people who put systems up for sale on various web sites.
Have gnu, will travel.
If the machine came in contact with this data, why the drives were even sold is beyond me. The drives should have been removed and run through a shredder / grinder.
Any machine that contained data, or could have contained data such as this, should have been through a more... robust... decommissioning process.
Curiosity was framed; ignorance killed the cat. -- Author unknown
That's a really, really stupid idea. He'd have been thrown in the slammer for sure. He only had two options: stay quiet and tell no one at all, or go full-blown public, screaming from the hilltops, so that there was too much public attention to risk making him disappear.
If you mod me down, I will become more powerful than you can imagine....
I know in the Slashdot world of spooks and big evil government everyone's out to get you and you have to play the paranoid schizophrenic... back in the real world you don't get disappeared for doing the large scale equivalent of handing in a wallet that you've bought from a guy down the pub and found to have someone else's credit cards in it.
Really, go out a bit in the world and relax - your bank manager is a human, maybe you even know them fairly well, and definitely they'll be happy with you for reporting it: the best possible outcome is a bonus for them, and that means more love for you. The worst is that he doesn't believe your story, which is fairly easy to defend to him, his boss, the police or a court given that you have evidence that you just bought the machine on eBay and you've walked right into the bank with the offending kit.
(Now if the documents were national security then you might want to do as this man has done. But you're fairly misguided if you think a high street bank has the power to intern you.)
Ach, don't worry...
In a couple of weeks, as the economy slips further into the blessed state of Titzup, you'll be able to purchase the bank itself on eBay c/w whatever assets the FatCats have left it with, for a fraction of what he paid for this server alone...
The CIA is already on their way, your tarring and feathering shall commence very soon. It took them only 2 more seconds to find you since you posted as AC.
Put that tin foil hat on ASAP
Learn it, know it. A very simple utility for wiping drives that you can run as a boot disk.
I swear to God...I swear to God! That is NOT how you treat your human!
Sorry, but I think my need to have companies deeply afraid of losing my confidential information outweighs your need to have cheap second hand hardware for hobby purposes. If the morons have to crush entire machines to get it right, go ahead and crush them.
OK, I have to pipe up on this one.
I've previously worked a few freelance tech gigs at RBS and the one thing I can say with certainty is that their internal security is extremely tight. Tighter than anywhere else I've worked in my time. The fact that anything gets done, EVER, is a minor miracle in the face of the mountain of red-tape, security, bureaucracy and general faffing with sign-offs and corporate governance that is needed to do pretty much anything.
So, I'm going to pipe up on behalf of RBS, your honour... :-)
Thing is, one thing I categorically don't believe is that the responsibility for handling customer data like this would fall to one individual without direct accountability. Knowing RBS, there would be forms to fill in, checks made, audits done and any handling of customer data would need to be signed off at a high level, and would be entirely traceable. Which is to say that if there's a breach, I don't think it's likely to be a break-down in procedure.
Now, you might laugh about this, but I know how many hoops I had to jump through to get things like dev rights on a developer box ("so, let me get this straight, sir, why do you need to be able to write to the C: drive?" - that sort of dumb thing), so I really doubt that a half-wit in marketing or HR or whatever would be entrusted with such data. It is kept under lock and key and it would certainly be VERY UNUSUAL to be allowed to make a CD copy of customer data. To do so would require sign-off from Very Senior Management (at Director level), and hence visibility at EVERY STAGE and accountability for EVERY ACTION would be enforced with *GREAT RIGOUR*...
So my money is that this isn't what it at first appears to be - it could be the case that this is something else and the press have got the wrong end of the stick.
Or maybe I'm wrong. Often am, you know... ;-)
To be honest, I don't care about your need to buy second-hand hardware on eBay cheaply, but I do care about my bank's incompetence at keeping its data secure (I'm a customer of NatWest, possibly soon to be an ex-customer). If this man had tried either of your suggestions, I would never have known about their stupidity.
You really do need to get a sense of perspective.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask? -- Randall Munroe
Yes and it's still being covered up today. That's why we've modded you -1. :)